About This Guide 


The NetWare® 6.5 Universal Password Deployment Guide provides information on how to 
prepare for and enable Universal Password. 


+ Chapter 1, “Deploying Universal Password,” on page 9 


Documentation Updates 


For the most recent version of the NetWare 6.5 Universal Password Deployment Guide, see the 
Universal Password Deployment Guide Web site (http://www.novell.com/documentation/lg/ 
nw65/universal_password/data/front.html). 


Documentation Conventions 


In this documentation, a greater-than symbol (>) is used to separate actions within a step and items 
in a cross-reference path. 


A trademark symbol (®, ™, etc.) denotes a Novell® trademark. An asterisk (*) denotes a third-party 
trademark. 


When a single pathname can be written with a backslash for some platforms or a forward slash for 
other platforms, the pathname is presented with a backslash. Users of platforms that require a 
forward slash, such as UNIX*, should use forward slashes as required by your software. 
Deploying Universal Password 


This section describes how to deploy Universal Password. 


Background 


As Novell® executed on its One Net vision of integrating heterogeneous systems and allowing for 
native systems to interoperate, the traditional Novell password has proven troublesome for 
integration with these heterogeneous systems. With NetWare® 6.5, Novell introduces Universal 
Password, a way to simplify the integration and management of different password and 
authentication systems into a coherent network. 


As part of Novell eDirectory™, Universal Password specifically addresses two problems: 
+ Management of multiple types of password authentication methods from disparate systems. 


+ Uniform password policy enforcement across multiple authentication systems (such as Native 
File Access). 


This is accomplished in NetWare 6.5 by moving all services to utilize a common password, or 
Universal Password, in the system. Backwards compatibility is maintained to support legacy 
systems in the network. 


This deployment guide outlines the steps necessary to prepare for and support Universal Password. 


Universal Password is not turned on by default in NetWare 6.5. This is primarily to avoid the need 
to validate an organization's full network for cryptographic key distribution issues at the time you 
are installing NetWare 6.5. It is also to postpone the migration from existing NDS® passwords that 
do not correctly support international characters until the administrator is fully aware of the issues. 


Deployment Steps 


Step 1 - Review the Services You Currently Use and Understand their Current 
Password Limitations 


The following table outlines current services in NetWare products and password limitations they 
have. These limitations are addressed by Universal Password: 
Service: Novell Client™ for Windows* NT*/2000/XP versions prior to 4.9 and Novell Client for Windows 95/98 versions prior to 3.4 
Description: The Novell Client software for file and print services. Uses the NDS® password, which is based on the RSA public/private key system. 
Limitations: 
+ Limited support for passwords with extended characters 
+ Passwords inaccessible from non-Novell systems 
+ Password is stored in such a way as to prevent extraction, thus disallowing interoperability with the simple password 


Service: Windows Native Networking (CIFS) in NetWare 6 and NetWare 5.1 (NFAP add-on pack for NetWare 5.1) 
Description: Novell's CIFS server as part of the Native File Access Protocols. It allows Windows* clients to access Novell services using the built-in Windows Client Networking Services. 
Limitations: 
+ Uses a separately administered password called the simple password 
+ Has no expiration or restriction capabilities for the simple password 
+ Attempts to synchronize with the NDS password, but can get out of sync 


Service: Macintosh* Native Networking (AFP) in NetWare 6 and NetWare 5.1 (NFAP add-on pack for NetWare 5.1) 
Description: Novell's AFP server as part of the Native File Access Protocols. It allows Macintosh clients to access Novell services using the built-in Macintosh Client Networking Services. 
Limitations: 
+ Uses a separately administered password called the simple password 
+ Has no expiration or restriction capabilities for the simple password 
+ Attempts to synchronize with the NDS password, but can get out of sync 


Service: LDAP 
Description: Novell's LDAP services allow a user to bind using username and password across a Secure Sockets Layer (SSL) connection. 
Limitations: 
+ Limited interoperability with the Novell Client Services (NDS password) for extended character or international versions 
+ Attempts to utilize the simple password if the bind is not a simple bind (that is, the bind is using an encrypted password). 


Service: LDAP User Import 
Description: Uses ICE or other tools to import users from foreign directories into eDirectory. Passwords are also brought in. 
Limitations: 
+ Passwords are imported into the simple password system. 
+ Mutually exclusive of NFAP solutions (Windows and Macintosh Native File Access) 
+ Password is in its encrypted native format 


Service: Web-Based Services 
Description: Novell Web-based services (Apache Web server) authentications. This includes eGuide, Novell Portal Services, and other Web-based applications. 
Limitations: 
+ Limited interoperability with the Novell Client services (NDS password) for extended character or international versions 
+ Not designed to check the simple password 


Service: RADIUS Services 
Description: Novell RADIUS Authentication Services 
Limitations: 
+ Limited interoperability with the Novell Client services (NDS password) for extended character or international versions 
+ Not designed to check the simple password 


Service: NetWare Remote Manager 
Description: Novell's Web-based server health and management interface. 
Limitations: 
+ Limited interoperability with the Novell Client services (NDS password) for extended character or international versions 
+ Not designed to check the simple password 


Service: NDS for NT 
Description: Novell eDirectory™ Services for Microsoft Windows NT 4 Server domains. 
Limitations: 
+ Uses a separate value for storing the NT password 
+ Synchronized only with the NDS password by the Novell Client and the ConsoleOne® and NWAdmin snap-in tools 


Service: DirXML® Password Synchronization for Windows 1.0 and DirXML Starter Pack 
Description: Enables synchronization of passwords for NT, Active Directory*, and eDirectory accounts. 
Limitations: 
+ eDirectory password changes made outside of the Novell Client will not be synchronized. For example, an eDirectory password change made through eGuide would not be synchronized to Active Directory or NT. 


See Sample Password Scenarios (http://www.novell.com/documentation/lg/dirxmlstarterpack/jetset/data/aktnwz0.html) for 
detailed information about DirXML Password Synchronization for Windows. 


Step 2 - Identify Your Need for Universal Password 


If you answer yes to any of the following questions, you should plan to deploy and use Universal 
Password: 


+ Do you currently use Native File Access and desire to enforce policies such as password 
expiration and/or password length? 


+ Do you use or plan to use Native File Access (Windows and/or Macintosh)? 


+ Do you plan to have international users access Novell Web-based services and/or use the 
Novell Client for Windows NT/2000/XP or the Novell Client for Windows 95/98 to access 
Novell file and print services? 


+ Do you plan to use Novell Nsure Identity Manager 2, powered by DirXML, with its enhanced 
password policy and password synchronization capabilities? 


Step 3 - Verify That Your SDI Domain Key Servers Are Ready for Universal 
Password 


1 Verify that the SDI Domain Key servers meet minimum configuration requirements and have 
consistent keys for distribution and use by other servers within the tree. 


1a From a NetWare server console, load sdidiag.nlm. 
From a Windows server, open a command prompt box and run sdidiag.exe. 


NOTE: The sdidiag.nlm ships with NetWare 6.5 or later. The sdidiag.exe ships with the Windows 
version of eDirectory 8.7.3 or later. Both files are available as part of a security patch (sdidiag21.exe) 
associated with Novell TID 2966746 (http://support.novell.com/servlet/tidfinder/2966746). 


1b Log in as an Administrator by entering the tree name, the server, the context, the user 
name, and the password. 


1c Enter the command CHECK -v >> sys:system\sdinotes.txt 


The output to the screen displays the results of the CHECK command. 


If no problems are found, go to “Step 4 - Upgrade At Least One Server in the Replica 
Ring to NetWare 6.5 or later or eDirectory 8.7.1 or later” on page 13. 
or 
If problems are found, follow the instructions written to the sys:system\sdinotes.txt file 
to resolve any configuration and key issues. 


2 Verify that the SDI Domain Key Servers are running NICI 2.4.2 or later. 


We recommend that NetWare 6.5 be installed on your SDI Domain Key servers. However, this 
is not required. At a minimum, you need to install NICI 2.4.2 or later on these servers. 


You can verify whether NICI 2.4.2 is installed on these servers: 
2a From the server console, execute the NetWare command M NICISDI.NLM. 
The version must be 24212.98 or later. 
If the version is earlier, you must do ONE of the following: 
+ Update the servers' NICI to version 2.4.2, which requires eDirectory 8.5.1 or later. 


NOTE: You can download NICI version 2.4.2 from the Novell Free Download site (http:// 
download.novell.com). Select Novell International Cryptographic Infrastructure from the 
Choose a Product drop-down list, then click Submit Search. NICI 2.4.2 requires eDirectory 8.5.1 
or later. 


Also, you must reinstall NICI 2.4.2 or later if you install an eDirectory upgrade after installing 
NICI. This issue will be resolved with the Consolidated Support Pack 10. 


+ Update the SDI Domain Key servers to NetWare 6.5. 


+ Remove the servers as SDI Domain Key Servers and add a server that meets these 
requirements. 


To remove a server as an SDI Domain Key Server: 
1. At the server console, load SDIDIAG. 


2. Log in as an Administrator that has management rights over the Security container 
and the W0.KAP.Security objects by entering the tree name, the server, the context, 
the user name, and the password. 


3. Enter the command RS -s servername 


For example, if server1 exists in container PRV in the organization Novell within the 
Novell_Inc tree, you would type .server1.PRV.Novell.Novell_Inc. for the 
servername. 


To add a server as an SDI Domain Key Server: 
1. At the server console, load SDIDIAG. 


2. Log in as an Administrator by entering the tree name, the server, the context, the 
user name, and the password. 


3. Enter the command AS -s servername 


For example, if server1 exists in container PRV in the organization Novell within the 
Novell_Inc tree, you would type .server1.PRV.Novell.Novell_Inc. for the 
servername. 


2b After completing one of the options above, you might want to rerun the SDIDIAG CHECK 
command. See Step 1c on page 11. 
Step 4 - Upgrade At Least One Server in the Replica Ring to NetWare 6.5 or later or 
eDirectory 8.7.1 or later 


1 Identify the container that holds the User objects of those users who will be using Universal 
Password. 


2 Find the partition that holds that container and the User objects. 
3 Identify at least one server that holds a writable replica of the partition. 


4 Upgrade that server to NetWare 6.5 or later or eDirectory 8.7.1 or later. 


You do not need to upgrade all servers in your tree in order to enable Universal Password, but we 
recommend that you eventually upgrade them all. Plan to upgrade the servers that hold writable 
replicas first, followed by those with read-only replicas or no replicas. This allows Universal 
Password support for services on all those servers. 


NOTE: If you have LDAP and CIFS (Windows Native Networking) and/or AFP (Macintosh Native Networking) 
servers that you want to use Universal Password, you must upgrade those servers to NetWare 6.5. 


Step 5 - Check the Container for SDI Key Consistency 


Check to ensure that all instances of cryptographic keys are consistent throughout the tree. Sdidiag 
ensures that each server has the cryptographic keys necessary to securely communicate with the 
other servers in the tree. 


1 From a NetWare server console, load sdidiag.nlm. 
From a Windows server, open a command prompt box and run sdidiag.exe. 


2 Enter the command CHECK -v >> sys:system\sdinotes.txt -n container DN 


For example, if user Bob exists in container PRV in the organization Novell within the 
Novell_Inc tree, you would type .PRV.Novell.Novell_Inc. for the container DN. 


This reports if there are any key consistency problems among the various servers and the Key 
Domain servers. 


The output to the screen displays the results of the CHECK command. 


3 If no problems are reported, you are ready to enable Universal Password. Go to “Step 6 - Turn 
on Universal Password” on page 13. 


or 
If problems are reported, follow the instructions in the sdinotes.txt file. 
In most cases, you will be prompted to run the command RESYNC -T -n container DN. 


This command can be repeated any time NMAS reports -1418 or -1460 errors during 
authentication with Universal Password. 


For more information on SDIDIAG options and operations, refer to Novell TID 10081773 
(http://support.novell.com/servlet/tidfinder/10081773). 


Step 6 - Turn on Universal Password 
1 Start Novell iManager. 
2 Under Roles and Tasks > NMAS Management, click Universal Password Configuration. 


3 Type in or browse to select the container, then click View. 
The current setting should read Disabled. 
4 Click the radio button next to Enable. 
5 Click Apply. 


IMPORTANT: When you enable Universal Password on a container, it is enabled on all existing subcontainers 
as well. If you enable Universal Password at the Tree level, all subcontainers you create after enabling 
Universal Password will be enabled for Universal Password. However, if you enable Universal Password on a 
container below the Tree level, such as, on an Organization (O) or an Organizational Unit (OU), and then 
create a new subcontainer, you must enable Universal Password on that subcontainer. It is not automatically 
enabled. 


NOTE: If you are using Novell Nsure Identity Manager 2, you use Password Management plugins to turn on 
Universal Password and configure Password Policies. These plugins replace the Universal Password 
Configuration task referred to in Step 2. 


Step 7 - Deploy Novell Client Software 


You can deploy the Novell Client for Windows NT/2000/XP version 4.9 or Novell Client for 
Windows 95/98 version 3.4 prior to enabling Universal Password, but the client does not take 
advantage of these services until you enable Universal Password (see “Step 6 - Turn on Universal 
Password” on page 13). The new Novell Client software automatically starts using the Universal 
Password when it is turned on. Users will see no differences in the client. 


NOTE: You must manually install Client NICI 2.6 for Windows or later and NMAS™ Client 2.2 in order for 
Novell Client for Windows 95/98 to start using the Universal Password services. 


Backwards Compatibility 
Universal Password is designed to supply backwards compatibility to existing services. Passwords 
changed with this service will automatically be synchronized to the simple and NDS passwords on 
the User object. This way, NetWare 6 and 5.1 servers running Native File Access protocols for 
Windows and Apple* native workstations will continue to have their passwords function properly. 
Novell Client software prior to the Novell Client for Windows NT/2000/XP version 4.9 or the 
Novell Client for Windows 95/98 version 3.4 will also have their passwords continue to function 
properly. 


The exception to this is the use of international characters in passwords. Because the character 
translations are different for older clients, the actual values will no longer match. Customers who 
have deployed Web-based or LDAP services and who use international passwords have already 
seen these problems and have been required to change passwords so they do not include 
international characters. We recommend that all servers be upgraded to NetWare 6.5 and all Novell 
Client software be upgraded in order for full, system-wide international passwords to function 
properly. 


Novell's NetWare Storage Management Services™ (SMS) infrastructure is used for Novell and 
third-party backup and restore applications. Additionally, the Novell Server Consolidation utility, 
Distributed File Services Volume Move, and Server Migration utilities use SMS as their data 
management infrastructure. The system passwords used by these Novell and third-party products 
cannot contain extended characters if they are to function in a mixed environment of NetWare 4, 
5, 6, and 6.5 servers. However, when all servers are upgraded to NetWare 6.5, extended character 
passwords can be used. 


NOTE: Please refer to Novell TID 10083884 (http://support.novell.com/servlet/tidfinder/10083884). It shows 
which applications/services are Universal Password-capable, as well as which applications/services are 
extended character-capable. Many applications/services can use extended characters without Universal 
Password. 
The following table shows the expected behavior of Universal Password when it interacts with 
older services. 


Password Change Method: Novell Client software prior to Novell Client for Windows NT/2000/XP version 4.9 or Novell Client for Windows 95/98 version 3.4 to any server version 
Passwords Synchronized: NDS password only. 


Password Change Method: Native File Access (Windows or Macintosh) on NetWare 5.1 or NetWare 6 
Passwords Synchronized: Simple password and NDS password. The password change is successful only if the old NDS and simple passwords were in sync. 


Password Change Method: Native File Access (Windows or Mac) on NetWare 6.5 
Passwords Synchronized: Universal, simple, and NDS passwords are changed. All are synchronized, even if old ones were out of sync. 


Password Change Method: LDAP (standard) to NetWare 5.1 or 6 
Passwords Synchronized: NDS password only. 


Password Change Method: LDAP (extended) to NetWare 5.1 or 6 
Passwords Synchronized: Simple password or NDS password is changed (extensions specify which one). 


Password Change Method: LDAP (standard) to NetWare 6.5 (or NetWare 5.1, 6 running eDirectory 8.7.1) 
Passwords Synchronized: Universal, simple, and NDS passwords are changed. All are synchronized even if old ones were out of sync. 


Password Change Method: LDAP (extended) to NetWare 6.5 
Passwords Synchronized: Universal, simple, or NDS password changed (extensions specify which one). 


Password Change Method: NetWare Administrator (run on a workstation with a client prior to version 4.9) to any User object in any container 
Passwords Synchronized: NDS password only. 


Password Change Method: NetWare Administrator (run on a workstation with the version 4.9 client) to a User object in a container that has a R/W replica on a NetWare 6.5 server (or NetWare 5.1 or 6 running eDirectory 8.7.1) 
Passwords Synchronized: (Untested and unsupported) Universal, simple, and NDS passwords are changed. All are synchronized even if old ones were out of sync. 


Password Change Method: ConsoleOne (run on a workstation with a client prior to version 4.9) to any User object in any container 
Passwords Synchronized: There is a separate change password page for NDS password and simple password. 


Password Change Method: ConsoleOne (run on a workstation with the version 4.9 client) to a User object in a container that has a R/W replica on a NetWare 6.5 server (or NetWare 5.1 or 6 running eDirectory 8.7.1) 
Passwords Synchronized: Universal, simple, and NDS passwords are changed. All are synchronized even if old ones were out of sync. 


Password Change Method: ConsoleOne (run on a workstation with the version 4.9 client) to a User object in a container that has no R/W replicas on any NetWare 6.5 servers, or NetWare 5.1 or 6 with eDirectory 8.7.1 (only R/W replicas on NetWare 5.1 or NetWare 6 servers with eDirectory versions older than 8.7.1) 
Passwords Synchronized: There is a separate change password page for NDS password and simple password. 


Password Change Method: Novell iManager 1.5 (NetWare 5.1 or NetWare 6 only) to any User object in any container 
Passwords Synchronized: NDS password only. 


Password Change Method: Novell iManager 2.0 (NetWare 6.5 only) to a User object in a container that has a R/W replica on a NetWare 6.5 server (or NetWare 5.1 or 6 running eDirectory 8.7.1) 
Passwords Synchronized: Universal, simple, and NDS passwords are changed. All are synchronized even if old ones were out of sync. 


Password Change Method: Novell iManager 2.0 (NetWare 6.5 only) to a User object in a container that does not have any R/W replica on any NetWare 6.5 server, or NetWare 5.1 or 6 servers running eDirectory version 8.7.1 
Passwords Synchronized: NDS password only. 


Password Change Method: NetWare Remote Manager running on a NetWare 6.5 server to a User object in a container that has a R/W replica on a NetWare 6.5 server, or NetWare 5.1 or 6 servers running eDirectory version 8.7.1 
Passwords Synchronized: Universal, simple, and NDS passwords are changed. All are synchronized, even if old ones were out of sync. 


Password Change Method: NetWare Remote Manager running on a NetWare 6.5 server to a User object in a container that does not have a R/W replica on a NetWare 6.5 server, or NetWare 5.1 or 6 servers running eDirectory version 8.7.1 
Passwords Synchronized: NDS password only. 


Password Change Method: NetWare Remote Manager NDS change password running on a NetWare 5.1 or NetWare 6 server 
Passwords Synchronized: NDS password only. 


Password Change Method: NetWare Remote Manager simple password management (NetWare 5.1 and 6 only with Native File Access installed) 
Passwords Synchronized: Simple password only. 


Password Management 


You can use the following methods to administer Universal Password: 


+ iManager: Administering passwords by using Novell iManager automatically sets the 
Universal Password to be synchronized to simple and NDS password values for backwards 
compatibility. The NMAS task in iManager does allow for granular management of individual 
passwords and authentication methods that are installed and configured in the system. 


+ ConsoleOne: The NDS password tab in ConsoleOne run on a NetWare 6.5 server, or on a 
Windows workstation with the Novell Client for Windows NT/2000/XP version 4.9 or the 
Novell Client for Windows 95/98 version 3.4 installed, automatically sets the Universal 
Password and synchronizes for backwards compatibility. 


+ NWAdmin32: The same results should be seen when using NWAdmin32 as with ConsoleOne, 
although Novell does not plan to test this case. 


+ LDAP: Changing passwords via LDAP on a NetWare 6.5 server also sets the Universal 
Password and synchronizes the others for backwards compatibility. 


+ Third-party Applications: Third-party applications that are written to Novell's Cross Platform 
Libraries and that perform password management will also set the Universal Password and 
synchronize the others if the newer libraries are installed on the Novell Client for Windows 
NT/2000/XP version 4.9 or the Novell Client for Windows 95/98 version 3.4 workstation or 
NetWare 6.5 server. 


NOTE: If you are using Novell Nsure Identity Manager 2, you can use Password Policies to specify how 
Universal Password is synchronized with NDS, Simple, and Distribution Passwords. In addition, an iManager 
task is provided that lets an Administrator set a user’s Universal Password. 


Issues to Watch For 
+ In a mixed environment of Novell Client software prior to the Novell Client for Windows NT/ 
2000/XP version 4.9 or the Novell Client for Windows 95/98 version 3.4 (including Native 
File Access servers on NetWare 5.1 and NetWare 6), if passwords are changed from those 
older systems, only the older values will be changed, driving the NDS and/or the simple 
password out of synchronization with the Universal Password. This might be an issue only for 
users who log in to their account from both older Novell Client workstations (prior to Client 
for Windows NT/2000/XP version 4.9 or Novell Client for Windows 95/98 v3.4) and from 
newer Novell Client workstations (Novell Client for Windows NT/2000/XP version 4.9 or 
Novell Client for Windows 95/98 version 3.4). If so, the problem will only occur if users are 
either using international characters in passwords or if they change the password from the 
older workstation. 


+ When you disable a user's NDS password, the NDS password is set to an arbitrary value that 
is unknown to the user. The following describes how some login methods handle this change. 


  + The Simple Password method is not disabled if the NDS password is disabled. The 
  Simple Password method uses the Universal Password if it is enabled and available. 
  Otherwise, it uses the simple password. If Universal Password is enabled but not set, then 
  the Simple Password method sets the Universal Password with the simple password. 


  + The Enhanced Password method is not disabled when the NDS password is disabled. The 
  enhanced password does not use the Universal Password for login. However, it can be 
  configured to set the Universal Password, if the Universal Password is enabled, when the 
  user changes the enhanced password. 


  + The NDS Password method is not disabled when the NDS password is disabled. The 
  NDS Password method will use the Universal Password if it is enabled and available. 
  Otherwise, it will use the NDS password. If the Universal Password is enabled but not 
  set, then the NDS Password method will set the Universal Password with the NDS 
  password. 